Communication apparatus, communication method, and recording medium

ABSTRACT

There is disclosed a communication apparatus that operates as a client of a first server having a referral function for referring the communication apparatus to a second server that performs an operation requested by the communication apparatus. The communication apparatus comprises a requesting unit that sends, to the first server or the second server that manages information about a user of the communication apparatus, a request for the operation for applying a use restriction of one or more functions of the communication apparatus, a setting unit that determines whether to enable or disable a referral using the referral function, and a use restricting unit that applies the use restriction of one or more functions of the communication apparatus according to a response to the request sent from the requesting unit and the determination by the setting unit.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a communication device such as an image forming apparatus including a copier, a printer, a scanner, a facsimile, a complex device, and a multifunction device, and an information processing apparatus including a personal computer; a communication method; and a recording medium.

2. Description of the Related Art

In recent years, complex devices and multifunction devices having copy, printer, scanner, and facsimile functions have been available in the market. The complex devices can print images on paper when used as copiers or printers, scan images from originals when used as copiers or scanners, and send and receive images to and from other communication apparatuses through telephone lines when used as facsimiles.

<Patent Document 1> Japanese Patent Laid-Open Publication No. 2002-084383

<Patent Document 2> Japanese Patent Laid-Open Publication No. 2004-122778

Some of the functions of the complex devices and multifunction devices use “user information”. For example, when the complex devices and the multifunction devices are used as scanners or facsimiles, “user information” such as mail addresses and facsimile telephone numbers is used. Although the complex devices and the multifunction devices generally have management functions for managing such user information, it would be useful for the complex devices and the multifunction devices to have acquisition functions for acquiring such user information from “servers”. LDAP (Lightweight Directory Access Protocol) servers are a typical example of such “servers”.

In LDAP, persons and organizations are recognized as “objects”. Information about an individual object is stored in an entry for information management. The entry contains an “object class”, which is information about the type of the object, and an “attribute” which is information about object characteristics. The attribute consists of “attribute types” such as c (country), o (organization), ou (organization unit), cn (common name), sn (last name), givenName (first name), uid (user ID), userPassword (user password), mail (mail address), and facsimileTelephoneNumber (facsimile telephone number), and “attribute values” such as c:Japan/o:Ricoh/ou:R&D division/cn:Taro Suzuki/sn:Suzuki/givenName:Taro. Each entry has a hierarchical structure according to its object class. A distinguished name (DN) of the entry is formed from hierarchically ordered relative distinguished names (RDNs) from its attributes (identification attributes).

Various requests and responses are exchanged between LDAP servers and LDAP clients. LDAP supports authentication related operations (e.g. bind, unbind), query related operations (e.g. search, compare), update related operations (add, delete, modify), referrals (a function where an LDAP server refers an LDAP client to another LDAP server), and chaining (a function where an LDAP server contacts another LDAP server). For example, if an LDAP client sends a search request for a search operation to an LDAP server, the LDAP server sends a response (search result) to the LDAP client using referrals and chaining as necessary.

As information processing functions of complex devices and multifunction devices have become more sophisticated, more and more complex devices and multifunction devices are configured to support user authentication. Examples of the user authentication supported by the complex devices and the multifunction devices include “local authentication” performed by the complex devices and the multifunction devices, and “remote authentication” performed by authentication servers (e.g. LDAP authentication and NT authentication performed by LDAP servers and NT servers).

Also, as information processing functions of complex devices and multifunction devices have become more sophisticated, more and more complex devices and multifunction devices are configured to support use restriction operations. It would be convenient if use restrictions of the functions of the complex devices and the multifunction devices could be enforced on a per-user group basis (e.g. permission to use the devices is granted to users belonging to a company but not granted to users not belonging to the company). For instance, in the case of complex devices and multifunction devices that use LDAP authentication, users may be divided into groups based on their LDAP attributes such that use restrictions may be set in the devices on a per-user group basis. If so, although the user groups can be customized in detail, it is difficult for an operator unfamiliar with LDAP attributes to divide the users into groups. Therefore, there has been a demand for a method of easily grouping users and setting use restrictions on a per-user group basis.

SUMMARY OF THE INVENTION

The present invention may solve at least one problem described above.

According to an aspect of the present invention, there is provided a method of easily grouping users and enforcing use restrictions on a per-user group basis so as to restrict use of functions of a “communication apparatus” such as an image forming apparatus and an information processing apparatus.

According to another aspect of the present invention, there is provided a communication apparatus operating as a client of a first server having a referral function for referring the communication apparatus to a second server that performs an operation requested by the communication apparatus, the communication apparatus comprising a requesting unit that sends, to the first server or the second server that manages information about a user of the communication apparatus, a request for the operation for applying a use restriction of one or more functions of the communication apparatus, a setting unit that determines whether to enable or disable a referral using the referral function, and a use restricting unit that applies the use restriction of one or more functions of the communication apparatus according to a response to the request sent from the requesting unit and the determination by the setting unit.

According to still another aspect of the present invention, there is provided a communication method performed by a communication apparatus operating as a client of a first server, the first server having a referral function for referring the communication apparatus to a second server that performs an operation requested by the communication apparatus, the method comprising a requesting step of sending, to the first server or the second server that manages information about a user of the communication apparatus, a request for the operation for applying a use restriction of one or more functions of the communication apparatus, a setting step of determining whether to enable or disable a referral using the referral function, and a use restricting step of applying the use restriction of one or more functions of the communication apparatus according to a response to the request sent in the requesting step and the determination in the setting step.

According to a further aspect of the present invention, there is provided a recording medium storing a program executable by a communication apparatus operating as a client of a first server having a referral function for referring the communication apparatus to a second server that performs an operation requested by the communication apparatus, the program comprising a requesting instruction for sending, to the first server or the second server that manages information about a user of the communication apparatus, a request for the operation for applying a use restriction of one or more functions of the communication apparatus, a setting instruction for determining whether to enable or disable a referral using the referral function, and a use restricting instruction for applying the use restriction of one or more functions of the communication apparatus according to a response to the request sent according to the requesting instruction and the determination according to the setting instruction.

According to another further aspect of the present invention, there is provided a communication method for use in a first server having a referral function for referring a communication apparatus to a second server that performs an operation requested by the communication apparatus, and in the communication apparatus operating as a client of the first server, the method comprising a requesting step of causing the communication apparatus to send, to the first server or the second server that manages information about a user of the communication apparatus, a request for the operation for applying a use restriction of one or more functions of the communication apparatus, a setting step of causing the communication apparatus to determine whether to enable or disable a referral using the referral function, and a use restricting step of causing the communication apparatus to apply the use restriction of one or more functions of the communication apparatus according to a response to the request sent in the requesting step and the determination in the setting step.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a software configuration of a multifunction device according to an embodiment of the present invention;

FIG. 2 is a block diagram illustrating a hardware configuration of a multifunction device according to an embodiment of the present invention;

FIG. 3 is a schematic diagram illustrating a network including a multifunction device according to an embodiment of the present invention;

FIG. 4 is a conceptual diagram illustrating information management by LDAP servers and NT servers;

FIGS. 5A-5C are tables showing examples of use restriction setting and referral setting;

FIGS. 6A-6C are screens used for use restriction setting and referral setting;

FIG. 7 is a sequence diagram illustrating a first example of the process flow of authentication (LDAP authentication);

FIG. 8 is a sequence diagram illustrating a second example of the process flow of authentication (LDAP authentication);

FIG. 9 is a sequence diagram illustrating a third example of the process flow of authentication (NT authentication);

FIG. 10 is a sequence diagram illustrating a fourth example of the process flow of authentication (NT authentication);

FIG. 11 is a flowchart illustrating a use restriction operation;

FIG. 12 is a sequence diagram illustrating steps taken when an authentication operation and a use restriction operation are separately performed;

FIG. 13 is a sequence diagram illustrating steps taken when an authentication operation and a use restriction operation are jointly performed;

FIGS. 14A-14C show examples of an authentication screen, a copier application screen, and a scanner application screen;

FIG. 15 is a sequence diagram illustrating a modified example of FIGS. 12 and 13;

FIG. 16 is a flowchart showing a color copying charging operation;

FIG. 17 is a flowchart showing a monochrome copying charging operation; and

FIGS. 18A-18C show examples of an authentication screen, a request screen, and a restriction screen.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

FIG. 1 is a block diagram illustrating a software configuration of a multifunction device 101 according to an embodiment of the present invention. The multifunction device 101 comprises various applications 111, various platforms 112, and an operating system 113.

The applications 111 include a copier application 121 having a copy function, a printer application 122 having a printer function, a scanner application 123 having a scanner function, and a facsimile application 124 having a facsimile function.

The platforms 112 include a communication management module 131 for communication management, a document management module 132 for document management, an engine management module 133 for engine management, an operations panel management module 134 for operations panel management, a memory management module 135 for memory management, an authentication management module 136 for authentication management, a user information management module 137 for user information management, and a system management module 138 for system management.

FIG. 2 is a block diagram illustrating a hardware configuration of the multifunction device 101 according to an embodiment of the present invention. The multifunction device 101 further comprises an imaging unit 201, a printing unit 202, a facsimile control unit 203, a CPU 211, an ASIC 212, a RAM 213, a ROM 214, a HDD 215, a NIC 221, and an operations panel 222.

The imaging unit 201 scans images from originals. The printing unit 202 prints images on paper. The facsimile control unit 203 controls the facsimile functions. The CPU 211 is an integrated circuit that processes various information items. The ASIC 212 is an integrated circuit that processes various images. The RAM 213 is a memory (volatile memory) within the multifunction device 101. The ROM 214 is a memory (nonvolatile memory). The HDD 215 is storage within the multifunction device 101. The NIC 221 is a communication unit as a network interface of the multifunction device 101. The operations panel 222 is an operations display unit as a user interface of the multifunction device 101.

The applications 111, the platforms 112, and the operating system 113 of FIG. 1 are stored in the ROM 214 and the HDD 215 of FIG. 2.

FIG. 3 is a schematic diagram illustrating a network including the multifunction device 101 according to an embodiment of the present invention. The multifunction device 101 is connected to an LDAP server 301A, an LDAP server 301B, an LDAP server 301C, an NT server 302A, an NT server 302B, and an NT server 302C over the network.

The LDAP servers 301 and the NT servers 302 store information about, for example, members of an R&D division as shown in FIG. 4. The LDAP server 301A and the NT server 302A manage information about, for example, members of a PF development group of the R&D division. The LDAP server 301B and the NT server 302B manage information about, for example, members of a C&F development group of the R&D division. The LDAP server 301C and the NT server 302C consolidate the information about the members of the R&D division.

In this embodiment, the NT server 302A corresponds to a domain controller (DC) for a domain for the PF development group of the R&D division. The NT server 302B corresponds to a domain controller (DC) for a domain for the C&F development group of the R&D division. The NT server 302C corresponds to a domain controller (DC) for a domain for the R&D division. The NT servers 302A, 302B, and 302C include Active Directory (AD). Accordingly, the LDAP servers 301A, 301B, and 301C and the NT servers 302A, 302B, and 302C support “LDAP” as a communication protocol.

Moreover, both the LDAP servers 301 and the NT servers 302 support LDAP referrals. For example, when the multifunction device 101 sends a request for an operation to the LDAP server 301A or the NT server 302A, the LDAP server 301A or the NT server 302A refers the multifunction device 101 to another server (the LDAP server 301B or 301C, or the NT server 302B or 302C) depending on the result of the operation.

In the multifunction device 101, use restrictions of the functions of the multifunction device 101 can be imposed (use restriction setting). Further, in the multifunction device 101, LDAP referrals for authentication operations for performing operations of restricting the use of the functions of the multifunction device 101 can be enabled or disabled (referral setting).

FIGS. 5A-5C are tables showing examples of the use restriction setting and the referral setting. In the multifunction device 101, the use restriction and the referral settings may be made for the multifunction device 101 as shown in FIG. 5A. In an alternative embodiment, the use restriction setting and the referral setting may be made on a per-function basis of the multifunction device 101 as shown in FIG. 5B. In a further alternative embodiment, the use restriction setting and the referral setting may be made on a per-user basis of the multifunction device 101 as shown in FIG. 5C. In a further alternative embodiment, the use restriction setting and the referral setting may be made on the per-function basis and on the per-user basis of the multifunction device 101 (i.e., for each combination of the items in FIG. 5B and the items in FIG. 5C). If the settings are made on the per-function basis, “use restriction setting: permitted, referral setting: enabled” may be applied to one function while “use restriction setting: not permitted, referral setting: disabled” may be applied to another function. If the settings are made on a per-user basis, “use restriction setting: permitted, referral setting: enabled” may be applied to one user while “use restriction setting: not permitted, referral setting: disabled” may be applied to another user.

FIGS. 6A-6C are screens used for use restriction setting and referral setting. FIG. 6A shows a selection screen used for selecting whether to set use restrictions. When “YES” is selected in the screen of FIG. 6A, the screen switches to the screens of FIGS. 6B and 6C. The screens of FIGS. 6B and 6C are setting screens used for the use restriction setting and the referral setting on the per-function basis. When the use restriction setting and the referral setting are made on the per-function basis and “OK” is pressed, the authentication management module 136 applies the use restriction setting and the referral setting on the per-function basis to the multifunction device 101.

The following describes operations of authenticating users of the multifunction device 101 and operations of restricting the use of the functions of the multifunction device 101. The multifunction device 101 sends the LDAP servers 301 and the NT servers 302, which manage information about the users of the multifunction device 101, requests for, for example, authentication operations for performing operations of restricting the use of the functions of the multifunction device 101. The following describes the case where a member of the C&F development group of the R&D division attempts to use the multifunction device 101 owned by the PF development group of the R&D division.

FIG. 7 is a sequence diagram illustrating a first example of the process flow of authentication (LDAP authentication).

First, the authentication management module 136 sends a user authentication request to the LDAP server 301A together with authentication information (user name and password) of the user of the multifunction device 101 input to the multifunction device 101 (S101). In response to the user authentication request, the LDAP server 301A returns an error message to the authentication management module 136 (S102). In this step, the LDAP server 301A refers the multifunction device 101 to the LDAP server 301B as the destination of the authentication request. Then, the authentication management module 136 saves the authentication result at the time referrals are disabled as “authentication failed” (S103).

Then, the authentication management module 136 sends the user authentication request to the LDAP server 301B together with the authentication information (user name and password) of the user of the multifunction device 101 input to the multifunction device 101 (S111). In response to the user authentication request, the LDAP server 301B sends an authentication certificate to the authentication management module 136 (S112). Then, the authentication management module 136 sends an acquisition request for user identification information of the user to the LDAP server 301B (S113). In response to the acquisition request for user identification information of the user, the LDAP server 301B sends the user identification information (user ID) of the user to the authentication management module 136 (S114). Then, the authentication management module 136 saves the authentication result at the time referrals are enabled as “authentication successful” (S115).

Subsequently, the authentication management module 136 sends the user information management module 137 an acquisition request for use restriction information indicating the use restrictions of the functions of the multifunction device 101 together with the user identification information and the authentication information (user ID, user name, and password) of the user (S121). In response to the acquisition request for use restriction information indicating the use restrictions of the functions of the multifunction device 101, the user information management module 137 sends the authentication management module 136 the use restriction information (the use restriction settings shown in FIGS. 5B, 6B, and 6C), which is stored in the multifunction device 101, indicating the use restrictions of the functions of the multifunction device 101 (S122). In this step, the referral settings shown in FIGS. 5B, 6B, and 6C are sent together with the use restriction settings shown in FIGS. 5B, 6B, and 6C. If the use restriction settings or the referral settings cannot be acquired, the user identification information and the authentication information of the user may be saved in the multifunction device 101 (S123, S124, and S125). Saving the user identification information and the authentication information of the user allows the multifunction device 101 to create the entry for the user in advance in case use restriction settings and referral settings are made on a per-user basis.

Then, the authentication management module 136 performs operations of restricting the use of the functions of the multifunction device 101 based on the authentication result, the use restriction settings, and the referral settings (S131). The operations performed in step S131 are described below in greater detail with reference to FIG. 11. In an alternative embodiment, steps S113 and S114 may be omitted. If steps S113 and S114 are omitted, the user identification information may be unnecessary in step S121, and accordingly steps S123, S124, and S125 may be omitted.

FIG. 8 is a sequence diagram illustrating a second example of the process flow of authentication (LDAP authentication).

First, the authentication management module 136 sends a user authentication request to the LDAP server 301A together with authentication information (user name and password) of the user of the multifunction device 101 input to the multifunction device 101 (S201). In response to the user authentication request, the LDAP server 301A returns an error to the authentication management module 136 (S202). In this step, the LDAP server 301A refers the multifunction device 101 to the LDAP server 301B as the destination of the authentication request.

Then, the authentication management module 136 determines whether to send the authentication request to the LDAP server 301B based on whether the referral setting is “enabled” or “disabled” (S211). If the referral setting is “enabled”, the authentication management module 136 sends the user authentication request to the LDAP server 301B together with the authentication information of the user of the multifunction device 101 input to the multifunction device 101 (S212). In response to the user authentication request, the LDAP server 301B sends an authentication certificate to the authentication management module 136 (S213). Then, the authentication management module 136 sends an acquisition request for user identification information of the user to the LDAP server 301B (S214). In response to the acquisition request for user identification information of the user, the LDAP server 301B sends the user identification information (user ID) of the user to the authentication management module 136 (S215). If the referral setting is “disabled”, operations of steps S212, S213, S214, and S215 are not performed, thereby making the processing in the second example faster than the processing in the first example.

Subsequently, the authentication management module 136 sends the user information management module 137 an acquisition request for use restriction information indicating the use restrictions of the functions of the multifunction device 101 together with the user identification information and the authentication information (user ID, user name, and password) of the user (S221). In response to the acquisition request for use restriction information indicating the use restrictions of the functions of the multifunction device 101, the user information management module 137 sends the authentication management module 136 the use restriction information (the use restriction settings shown in FIGS. 5B, 6B, and 6C), which is stored in the multifunction device 101, indicating the use restrictions of the functions of the multifunction device 101 (S222). In this step, the referral settings shown in FIGS. 5B, 6B, and 6C are sent together with the use restriction settings shown in FIGS. 5B, 6B, and 6C. If the use restriction settings or the referral settings cannot be acquired, the user identification information and the authentication information of the user may be saved in the multifunction device 101 (S223, S224, and S225). Saving the user identification information and the authentication information of the user allows the multifunction device 101 to create the entry for the user in advance in case use restriction settings and referral settings are made on a per-user basis.

Then, the authentication management module 136 performs operations of restricting the use of the functions of the multifunction device 101 based on the authentication result, the use restriction settings, and the referral settings (S231). The operations performed in step S231 are described below in greater detail with reference to FIG. 11. In an alternative embodiment, steps S214 and S215 may be omitted. If steps S214 and S215 are omitted, the user identification information may be unnecessary in step S221, and accordingly steps S223, S224, and S225 may be omitted.
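The first and second examples (FIGS. 7 and 8) can be modelled as follows. This is an added illustration, not code from the patent: the in-memory servers, user names, passwords, the SETTINGS table, and the decision rule in allowed_functions are assumptions, because the FIG. 11 operation is not described at this point.

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass, field


@dataclass
class Response:
    ok: bool
    user_id: str | None = None
    referral: str | None = None  # server the client is referred to, if any


@dataclass
class DirectoryServer:
    """In-memory stand-in for an LDAP server 301x (constructed, no network I/O)."""
    name: str
    users: dict                                    # user name -> (password, user ID)
    referrals: dict = field(default_factory=dict)  # user name -> other server name
    requests: int = 0                              # round trips received

    def authenticate(self, user: str, password: str) -> Response:
        self.requests += 1
        if user in self.users:
            stored, uid = self.users[user]
            ok = hmac.compare_digest(stored.encode(), password.encode())
            return Response(ok=ok, user_id=uid if ok else None)
        # User not managed here: error plus referral (S102 / S202).
        return Response(ok=False, referral=self.referrals.get(user))


@dataclass(frozen=True)
class FunctionSetting:
    """One row of a per-function table in the style of FIG. 5B."""
    use_permitted: bool
    referral_enabled: bool


def first_example(servers, first, user, password):
    """FIG. 7: always follow the referral and save both results (S103, S115)."""
    r = servers[first].authenticate(user, password)
    result = {"referral_disabled": r.ok, "referral_enabled": r.ok,
              "user_id": r.user_id}
    if not r.ok and r.referral in servers:
        r2 = servers[r.referral].authenticate(user, password)
        result["referral_enabled"], result["user_id"] = r2.ok, r2.user_id
    return result


def second_example(servers, first, user, password, referral_enabled):
    """FIG. 8: check the referral setting (S211) before contacting server two."""
    r = servers[first].authenticate(user, password)
    if not r.ok and referral_enabled and r.referral in servers:
        r = servers[r.referral].authenticate(user, password)
    return {"authenticated": r.ok, "user_id": r.user_id}


def allowed_functions(result, settings):
    """Assumed rule: a function is usable when its use is permitted and the
    saved result matching its own referral setting is "successful"."""
    allowed = []
    for name, s in settings.items():
        key = "referral_enabled" if s.referral_enabled else "referral_disabled"
        if s.use_permitted and result[key]:
            allowed.append(name)
    return sorted(allowed)


def build_network():
    """Constructed sample: 301A holds PF members and refers C&F members to 301B."""
    a = DirectoryServer("301A", users={"pf_member": ("pf-secret", "uid-pf-01")},
                        referrals={"cf_member": "301B"})
    b = DirectoryServer("301B", users={"cf_member": ("cf-secret", "uid-cf-01")})
    return {"301A": a, "301B": b}


# Constructed per-function settings (values are illustrative, not from FIG. 5B).
SETTINGS = {
    "copier": FunctionSetting(use_permitted=True, referral_enabled=True),
    "scanner": FunctionSetting(use_permitted=True, referral_enabled=False),
    "facsimile": FunctionSetting(use_permitted=False, referral_enabled=True),
}

if __name__ == "__main__":
    net = build_network()
    saved = first_example(net, "301A", "cf_member", "cf-secret")
    print("FIG. 7 saved results:", saved)
    print("usable functions:", allowed_functions(saved, SETTINGS))
    net = build_network()
    print("FIG. 8, referral disabled:",
          second_example(net, "301A", "cf_member", "cf-secret", False),
          "requests to 301B:", net["301B"].requests)
```

The request counter on the second server makes the difference between the two flows visible: with the referral setting disabled, the second example never contacts the LDAP server 301B.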

FIG. 9 is a sequence diagram illustrating a third example of the process flow of authentication (NT authentication).

First, the authentication management module 136 sends a user authentication request to the NT server 302A (DC or AD) together with authentication information (user name and password) of the user of the multifunction device 101 input to the multifunction device 101 (S301). In response to the user authentication request, the NT server 302A sends an authentication certificate to the authentication management module 136 (S302). Then, the authentication management module 136 sends an acquisition request for user identification information of the user to the NT server 302A (S303). In response to the acquisition request for user identification information of the user, the NT server 302A returns an error to the authentication management module 136 (S304). In this step, the NT server 302A refers the multifunction device 101 to the NT server 302B as the destination of the acquisition request for user identification information. Then, the authentication management module 136 saves the authentication result at the time referrals are disabled as “authentication failed” (S305).

Then, the authentication management module 136 sends the acquisition request for user identification information of the user to the NT server (AD) 302B (S311). In response to the acquisition request for user identification information of the user, the NT server 302B sends the user identification information (user ID) of the user to the authentication management module 136 (S312). Then, the authentication management module 136 saves the authentication result at the time referrals are enabled as “authentication successful” (S313).

Subsequently, the authentication management module 136 sends the user information management module 137 an acquisition request for use restriction information indicating the use restrictions of the functions of the multifunction device 101 together with the user identification information and the authentication information (user ID, user name, and password) of the user (S321). In response to the acquisition request for use restriction information indicating the use restrictions of the functions of the multifunction device 101, the user information management module 137 sends the authentication management module 136 the use restriction information (the use restriction settings shown in FIGS. 5B, 6B, and 6C), which is stored in the multifunction device 101, indicating the use restrictions of the functions of the multifunction device 101 (S322). In this step, the referral settings shown in FIGS. 5B, 6B, and 6C are sent together with the use restriction settings shown in FIGS. 5B, 6B, and 6C. If the use restriction settings or the referral settings cannot be acquired, the user identification information and the authentication information of the user may be saved in the multifunction device 101 (S323, S324, and S325). Saving the user identification information and the authentication information of the user allows the multifunction device 101 to create the entry for the user in advance in case use restriction settings and referral settings are made on a per-user basis.

Then, the authentication management module 136 performs operations of restricting the use of the functions of the multifunction device 101 based on the authentication result, the use restriction settings, and the referral settings (S331). The operations performed in step S331 are described below in greater detail with reference to FIG. 11. In an alternative embodiment, the user identification information may be unnecessary in step S321, and accordingly steps S323, S324, and S325 may be omitted.

FIG. 10 is a sequence diagram illustrating a fourth example of the process flow of authentication (NT authentication).

First, the authentication management module 136 sends a user authentication request to the NT server 302A (DC or AD) together with authentication information (user name and password) of the user of the multifunction device 101 input to the multifunction device 101 (S401). In response to the user authentication request, the NT server 302A sends an authentication certificate to the authentication management module 136 (S402). Then, the authentication management module 136 sends an acquisition request for user identification information of the user to the NT server 302A (S403). In response to the acquisition request for user identification information of the user, the NT server 302A returns an error to the authentication management module 136 (S404). In this step, the NT server 302A refers the multifunction device 101 to the NT server 302B as the destination of the acquisition request for user identification information.

Then, the authentication management module 136 determines whether to send the acquisition request for user identification information to the NT server (AD) 302B based on whether the referral setting is “enabled” or “disabled” (S411). If the referral setting is “enabled”, the authentication management module 136 sends the acquisition request for user identification information of the user to the NT server 302B (S412). In response to the acquisition request for user identification information of the user, the NT server 302B sends the user identification information (user ID) of the user to the authentication management module 136 (S413). If the referral setting is “disabled”, operations of steps S412 and S413 are not performed, thereby making the processing in the fourth example faster than the processing in the third example.

Subsequently, the authentication management module 136 sends the user information management module 137 an acquisition request for use restriction information indicating the use restrictions of the functions of the multifunction device 101 together with the user identification information and the authentication information (user ID, user name, and password) of the user (S421). In response to the acquisition request for use restriction information indicating the use restrictions of the functions of the multifunction device 101, the user information management module 137 sends the authentication management module 136 the use restriction information (the use restriction settings shown in FIGS. 5B, 6B, and 6C), which is stored in the multifunction device 101, indicating the use restrictions of the functions of the multifunction device 101 (S422). In this step, the referral settings shown in FIGS. 5B, 6B, and 6C are sent together with the use restriction settings shown in FIGS. 5B, 6B, and 6C. If the use restriction settings or the referral settings cannot be acquired, the user identification information and the authentication information of the user may be saved in the multifunction device 101 (S423, S424, and S425). Saving the user identification information and the authentication information of the user allows the multifunction device 101 to create the entry for the user in advance in case use restriction settings and referral settings are made on a per-user basis.

Then, the authentication management module 136 performs operations of restricting the use of the functions of the multifunction device 101 based on the authentication result, the use restriction settings, and the referral settings (S431). The operations performed in step S431 are described below in greater detail with reference to FIG. 11. In an alternative embodiment, the user identification information may be unnecessary in step S421, and accordingly steps S423, S424, and S425 may be omitted.

FIG. 11 is a flowchart illustrating a use restriction operation. The use restriction operation of FIG. 11 corresponds to the use restriction operations in steps S131, S231, S331, and S431 of FIGS. 7, 8, 9, and 10.

The authentication management module 136 refers to the referral setting of one function of the multifunction device 101 (S501). If the referral setting of the function is “enabled”, the authentication result at the time referrals are enabled is acquired (S502). On the other hand, if the referral setting of the function is “disabled”, the authentication result at the time referrals are disabled is acquired (S503). In the examples of FIG. 7 and FIG. 9, the authentication results saved in step S115 and step S313 correspond to the authentication results acquired in step S502, and the authentication results acquired in step S103 and step S305 correspond to the authentication results acquired in step S503. In the examples of FIG. 8 and FIG. 10, the acquisition of the authentication results of steps S502 and S503 is already substantially performed, as in steps S211 and S411.

The referral setting in this example is as shown in Table A of FIG. 11. This setting is the same as the setting shown in FIG. 5B. The authentication results at the time referrals are enabled and disabled are as shown in Table B of FIG. 11. The authentication results shown in Table B are the same as the authentication results in the examples of FIGS. 7, 8, 9, and 10. Accordingly, the authentication results acquired in steps S502 and S503 are as shown in Table C of FIG. 11.

The authentication management module 136 then refers to the authentication results acquired in steps S502 and S503 (S511). If the authentication result of the function is “failed”, the use “not permitted” is applied (use restriction B). On the other hand, if the authentication result is “successful”, the use restriction setting of the function is referred to (S512). If the use restriction setting of the function is “not permitted”, the use “not permitted” is applied (use restriction B). On the other hand, if the use restriction setting of the function is “permitted”, the use “permitted” is applied (use restriction A). These operations are performed for each of the functions of the multifunction device 101 (S513).

The use restriction setting in this example is as shown in Table D of FIG. 11. This setting is the same as the use restriction setting shown in FIG. 5B. Accordingly, the use restrictions to be applied to the functions of the multifunction device 101 are as shown in Table E of FIG. 11.

In the authentication operations shown in FIGS. 7, 8, 9, and 10 and the use restriction operation shown in FIG. 11, the use restriction operations for the functions of which referral settings are “enabled” are performed according to the authentication result from the LDAP server 301A (NT server 302A) and the authentication result from the LDAP server 301B (NT server 302B). On the other hand, the use restriction operations for the functions of which referral settings are “disabled” are performed according to the authentication result from the LDAP server 301A (NT server 302A), but regardless of the authentication result from the LDAP server 301B (NT server 302B). In this embodiment, the authentication result from the LDAP server 301A (NT server 302A), which manages the information about the members of the PF development group, is “successful” only when the user is a member of the PF development group. That is, by setting the use restriction setting and the referral setting of one function to “permitted” and “disabled”, respectively, the use permission of that function is given only to the members of the PF development group. As described above, the multifunction device 101 is configured such that users can be divided into groups by only setting “enabled” or “disabled” in the referral setting. Further, the use restrictions can be imposed on a per-user group basis by only setting “permitted” or “not permitted” in the use restriction setting. The multifunction device 101 is advantageous because LDAP servers and NT servers generally manage user information on a user group basis (on a per-company basis, on a per-division basis, on a per-location basis, etc.).

As described above, if the referral setting is enabled, the multifunction device 101 performs operations of restricting the use of the functions of the multifunction device 101 according to the response to the authentication request sent from the LDAP server 301B (NT server 302B) to which the LDAP server 301A (NT server 302A) referred the multifunction device 101. On the other hand, if the referral setting is disabled, the multifunction device 101 performs operations of restricting the use of the functions of the multifunction device 101 regardless of the response to the authentication request sent from the LDAP server 301B (NT server 302B) to which the LDAP server 301A (NT server 302A) referred the multifunction device 101.
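The following Python sketch is an added example, not code from the patent: it models the referral decision and the per-function loop of FIG. 11 (S501 to S513) to show how a “permitted” plus “disabled” setting confines a function to the first server's users. The `DirectoryServer` class, the user names, and the settings are constructed stand-ins (not a real LDAP/NT API and not the values of FIG. 5B), and treating a function with no referral setting as “disabled” is an assumption.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class DirectoryServer:
    """In-memory stand-in for a directory server (constructed; not a real LDAP/NT API)."""
    name: str
    users: Dict[str, str]                       # user name -> password (sample data)
    referral: Optional["DirectoryServer"] = None

    def authenticate(self, user: str, password: str) -> Tuple[str, Optional["DirectoryServer"]]:
        """Return ("ok" | "failed" | "referral", server referred to)."""
        if user in self.users:
            same = hmac.compare_digest(self.users[user].encode(), password.encode())
            return ("ok" if same else "failed"), None
        if self.referral is not None:
            return "referral", self.referral    # entry is managed by another server
        return "failed", None


def auth_results(first: DirectoryServer, user: str, password: str) -> Dict[str, bool]:
    """Authentication results with referrals enabled and disabled (inputs to S502/S503)."""
    status, target = first.authenticate(user, password)
    disabled = status == "ok"                   # only the first server's answer counts
    enabled = disabled
    if status == "referral" and target is not None:
        enabled = target.authenticate(user, password)[0] == "ok"   # follow one hop only
    return {"enabled": enabled, "disabled": disabled}


def use_restrictions(results: Dict[str, bool],
                     referral_settings: Dict[str, str],
                     use_settings: Dict[str, str]) -> Dict[str, str]:
    """Apply the FIG. 11 loop: one decision per function."""
    applied = {}
    for function, use in use_settings.items():                     # S513
        # S501; assumption: a function with no referral setting is treated as "disabled"
        mode = referral_settings.get(function, "disabled")
        authenticated = results["enabled" if mode == "enabled" else "disabled"]  # S502/S503
        allowed = authenticated and use == "permitted"             # S511, S512
        applied[function] = "permitted" if allowed else "not permitted"
    return applied


# Constructed sample data (not the values of FIG. 5B or Tables A-E).
SERVER_B = DirectoryServer("B", {"bob": "pw-bob"})
SERVER_A = DirectoryServer("A", {"alice": "pw-alice"}, referral=SERVER_B)
REFERRAL_SETTINGS = {"copy": "enabled", "scanner": "disabled", "fax": "enabled"}
USE_SETTINGS = {"copy": "permitted", "scanner": "permitted", "fax": "not permitted"}


def restrictions_for(user: str, password: str) -> Dict[str, str]:
    """Authenticate against server A and return the restriction applied to each function."""
    return use_restrictions(auth_results(SERVER_A, user, password),
                            REFERRAL_SETTINGS, USE_SETTINGS)


if __name__ == "__main__":
    for user, password in [("alice", "pw-alice"), ("bob", "pw-bob"), ("bob", "wrong")]:
        print(user, restrictions_for(user, password))
```

Here `bob`, who is known only to the referred server, gets the copy function but not the scanner, because the scanner's referral setting is “disabled” and only the first server's result counts for it.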

FIG. 12 is a sequence diagram illustrating steps taken when an authentication operation and a use restriction operation are performed separately by individual applications. The following describes the case where the copier application 121 having the copy function and the scanner application 123 having the scanner function are present.

When the multifunction device 101 is started, the copier application 121 shows an authentication screen (S601). Then, the authentication information of a user who attempts to use the multifunction device 101 is input (S602), so that the copier application 121 sends the authentication management module 136 a query for the use restrictions of the functions of the multifunction device 101 (S603). Then, the authentication management module 136 performs one of the authentication operations of FIGS. 7, 8, 9 and 10, and the use restriction operation of FIG. 11 for the copy function of the copier application 121 (S604). The authentication management module 136 sends the copier application 121 a use restriction of the corresponding function of the multifunction device 101 to be applied, indicating “copy function: permitted” (S605). Upon reception of the use restriction of the corresponding function of the multifunction device 101 to be applied, indicating “copy function: permitted”, the copier application 121 shows a copier application screen (S606).

When a scanner button on the operations panel 222 is pressed (S611) in order to switch from the copier application screen (copy function) to a scanner application screen (scanner function), the scanner application 123 sends the authentication management module 136 a query for the use restrictions of the functions of the multifunction device 101 (S612). Then, the authentication management module 136 performs one of the authentication operations of FIGS. 7, 8, 9 and 10, and the use restriction operation of FIG. 11 for the scanner function of the scanner application 123 (S613). The authentication management module 136 sends the scanner application 123 a use restriction of the corresponding function of the multifunction device 101 to be applied, indicating “scanner function: not permitted” (S614). Upon reception of the use restriction of the corresponding function of the multifunction device 101 to be applied, indicating “scanner function: not permitted”, the scanner application 123 shows a scanner application screen (use-not-permitted screen) (S615).

It is to be noted that the queries in steps S603 and S612 are sent together with the authentication information input in the authentication screen. The authentication screen may therefore be shown again when switching the screens (functions).

FIG. 13 is a sequence diagram illustrating steps taken when an authentication operation and a use restriction operation are performed jointly by all the applications. The following describes the case where the copier application 121 having the copy function and the scanner application 123 having the scanner function are present.

When the multifunction device 101 is started, the authentication management module 136 shows the authentication screen (S701). Then, the authentication information of a user who attempts to use the multifunction device 101 is input (S702), so that the authentication management module 136 performs one of the authentication operations of FIGS. 7 and 9, and the use restriction operation of FIG. 11 for the copy function of the copier application 121 (S703).

When a copy button on the operations panel 222 is pressed (S711) in order to switch to the copier application screen (copy function), the copier application 121 sends the authentication management module 136 a query for the use restrictions of the functions of the multifunction device 101 (S712). The authentication management module 136 sends the copier application 121 a use restriction of the corresponding function of the multifunction device 101 to be applied, indicating “copy function: permitted” (S713). Upon reception of the use restriction of the corresponding function of the multifunction device 101 to be applied, indicating “copy function: permitted”, the copier application 121 shows a copier application screen (S714).

If the scanner button on the operations panel 222 is pressed (S721) in order to switch to the scanner application screen (scanner function), the scanner application 123 sends the authentication management module 136 a query for the use restrictions of the functions of the multifunction device 101 (S722). The authentication management module 136 sends the scanner application 123 a use restriction of the corresponding function of the multifunction device 101 to be applied, indicating “scanner function: not permitted” (S723). Upon reception of the use restriction of the corresponding function of the multifunction device 101 to be applied, indicating “scanner function: not permitted”, the scanner application 123 shows the scanner application screen (use-not-permitted screen) (S724).

In place of sending queries for the use restriction of the corresponding functions of the multifunction device 101 from the copier application 121 and the scanner application 123 to the authentication management module 136 and returning the use restriction to be applied from the authentication management module 136, the authentication management module 136 may deliver tickets to the copier application 121 and the scanner application 123.

FIGS. 14A-14C show examples of the authentication screen, the copier application screen, and the scanner application screen (use-not-permitted screen) of FIGS. 12 and 13.

FIG. 15 is a sequence diagram illustrating a modified example of FIGS. 12 and 13.

When the multifunction device 101 is started, the copier application 121 shows an authentication screen (S801). Then, the authentication information of a user who attempts to use the multifunction device 101 is input (S802), so that the copier application 121 sends a user authentication request to the authentication management module 136 (S803). Then, the authentication management module 136 performs one of the authentication operations of FIGS. 7, 8, 9 and 10 for the copy function of the copier application 121 (S804). In response to the user authentication request, the authentication management module 136 sends the copier application 121 the authentication result at the time referrals are enabled, which is “authentication successful”, and the authentication result at the time referrals are disabled, which is “authentication failed” (S805).

When a start button on the operations panel 222 is pressed (S811) in a color copying mode, the copier application 121 performs a color copying charging operation (S812) and then performs a color copying operation (S813). When a start button on the operations panel 222 is pressed (S821) in a monochrome copying mode, the copier application 121 performs a monochrome copying charging operation (S822) and then performs a monochrome copying operation (S823).

FIG. 16 is a flowchart showing the color copying charging operation of step S812.

The authentication management module 136 refers to the authentication result at the time referrals are disabled (S11). If the authentication result at the time referrals are disabled is “successful”, the authentication management module 136 charges a server corresponding to the LDAP server 301A or the NT server 302A (S12). If the authentication result at the time referrals are disabled is “failed”, the authentication management module 136 refers to the authentication result at the time referrals are enabled (S13). If the authentication result at the time referrals are enabled is “successful”, a request screen that requests insertion of a coin (fee) is displayed (S14). If the authentication result at the time referrals are enabled is “failed”, a restriction screen that indicates that the use is not permitted is displayed (S15).

FIG. 17 is a flowchart showing a monochrome copying charging operation of step S822.

The authentication management module 136 refers to the authentication result at the time referrals are disabled (S21). If the authentication result at the time referrals are disabled is “successful”, the authentication management module 136 charges a server corresponding to the LDAP server 301A or the NT server 302A (S22). If the authentication result at the time referrals are disabled is “failed”, the authentication management module 136 refers to the authentication result at the time referrals are enabled (S23). If the authentication result at the time referrals are enabled is “successful”, the authentication management module 136 charges a server corresponding to the LDAP server 301B or the NT server 302B (S24). If the authentication result at the time referrals are enabled is “failed”, the request screen that requests insertion of a coin (fee) is displayed (S25).

FIGS. 18A-18C show examples of the authentication screen, the request screen, and the restriction screen of FIGS. 15, 16, and 17.

The present application is based on Japanese Priority Application No. 2005-002652 filed on Jan. 7, 2005, with the Japanese Patent Office, the entire contents of which are hereby incorporated by reference.

1. A communication apparatus operating as a client of a first server having a referral function for referring the communication apparatus to a second server that performs an operation requested by the communication apparatus, comprising: a requesting unit that sends, to the first server or the second server that manages information about a user of the communication apparatus, a request for the operation for applying a use restriction of one or more functions of the communication apparatus; a setting unit that determines whether to enable or disable a referral using the referral function; and a use restricting unit that applies the use restriction of one or more functions of the communication apparatus according to a response to the request sent from the requesting unit and the determination by the setting unit.
2. The communication apparatus as claimed in claim 1, wherein the requesting unit sends the request for the operation together with authentication information of the user input to the communication apparatus.
3. The communication apparatus as claimed in claim 1, wherein the use restricting unit applies the use restriction of one or more functions of the communication apparatus based on use restriction information, indicating the use restrictions of one or more functions of the communication apparatus, stored in the communication apparatus.
4. The communication apparatus as claimed in claim 1, wherein the use restricting unit applies the use restriction of one or more functions of the communication apparatus according to the response to the request sent to the second server to which the first server has referred the communication apparatus using the referral function if the referral using the referral function is enabled, and applies the use restriction of one or more functions of the communication apparatus regardless of the response to the request sent to the second server to which the first server referred the communication apparatus using the referral function if the referral using the referral function is disabled.
5. The communication apparatus as claimed in claim 1, wherein the setting unit determines whether to enable or disable the referral using the referral function on a per-function basis of the communication apparatus.
6. The communication apparatus as claimed in claim 1, wherein the setting unit determines whether to enable or disable the referral using the referral function on a per-user basis of the communication apparatus.
7. The communication apparatus as claimed in claim 1, wherein the setting unit determines whether to enable or disable the referral using the referral function on a per-function basis and on a per-user basis of the communication apparatus.
8. The communication apparatus as claimed in claim 1, wherein the use restriction of a first function of the functions of the communication apparatus to be applied is determined when switching to the first function from a second function of the functions of the communication apparatus.
9. The communication apparatus as claimed in claim 1, wherein the information about the user of the communication apparatus contained in the response to the request sent from the requesting unit is saved in the communication apparatus.
10. The communication apparatus as claimed in claim 1, wherein determination whether to send the request for the operation to the second server is made based on whether the referral using the referral function is enabled or disabled when the first server refers the communication apparatus to the second server as the response to the request sent from the requesting unit.
11. The communication apparatus as claimed in claim 1, wherein the first and second servers are LDAP servers or NT servers.
12. A communication method performed by a communication apparatus operating as a client of a first server having a referral function for referring the communication apparatus to a second server that performs an operation requested by the communication apparatus, comprising: a requesting step of sending, to the first server or the second server that manages information about a user of the communication apparatus, a request for the operation for applying a use restriction of one or more functions of the communication apparatus; a setting step of determining whether to enable or disable a referral using the referral function; and a use restricting step of applying the use restriction of one or more functions of the communication apparatus according to a response to the request sent in the requesting step and the determination in the setting step.
13. The communication method as claimed in claim 12, wherein the request for the operation is sent together with authentication information of the user input to the communication apparatus in the requesting step.
14. The communication method as claimed in claim 12, wherein the use restriction of one or more functions of the communication apparatus is applied based on use restriction information, indicating the use restrictions of one or more functions of the communication apparatus, stored in the communication apparatus in the use restricting step.
15. The communication method as claimed in claim 12, wherein the use restriction of one or more functions of the communication apparatus is applied according to the response to the request sent to the second server to which the first server has referred the communication apparatus using the referral function if the referral using the referral function is enabled, and is applied regardless of the response to the request sent to the second server to which the first server referred the communication apparatus using the referral function if the referral using the referral function is disabled in the use restricting step.
16. The communication method as claimed in claim 12, wherein whether to enable or disable the referral using the referral function is determined on a per-function basis of the communication apparatus in the setting step.
17. The communication method as claimed in claim 12, wherein whether to enable or disable the referral using the referral function is determined on a per-user basis of the communication apparatus in the setting step.
18. The communication method as claimed in claim 12, wherein whether to enable or disable the referral using the referral function is determined on a per-function basis and on a per-user basis of the communication apparatus in the setting step.
19. The communication method as claimed in claim 12, wherein the use restriction of a first function of the functions of the communication apparatus to be applied is determined when switching to the first function from a second function of the functions of the communication apparatus.
20. The communication method as claimed in claim 12, wherein the information about the user of the communication apparatus contained in the response to the request sent in the requesting step is saved in the communication apparatus.
21. The communication method as claimed in claim 12, wherein determination whether to send the request for the operation to the second server is made based on whether the referral using the referral function is enabled or disabled when the first server refers the communication apparatus to the second server as the response to the request sent in the requesting step.
22. The communication method as claimed in claim 12, wherein the first and second servers are LDAP servers or NT servers.
23. A recording medium storing a program executable by a communication apparatus operating as a client of a first server having a referral function for referring the communication apparatus to a second server that performs an operation requested by the communication apparatus, the program comprising: a requesting instruction for sending, to the first server or the second server that manages information about a user of the communication apparatus, a request for the operation for applying a use restriction of one or more functions of the communication apparatus; a setting instruction for determining whether to enable or disable a referral using the referral function; and a use restricting instruction for applying the use restriction of one or more functions of the communication apparatus according to a response to the request sent according to the requesting instruction and the determination according to the setting instruction.
24. A communication method for use in a first server having a referral function for referring a communication apparatus to a second server that performs an operation requested by the communication apparatus, and in the communication apparatus operating as a client of the first server, comprising: a requesting step of causing the communication apparatus to send, to the first server or the second server that manages information about a user of the communication apparatus, a request for the operation for applying a use restriction of one or more functions of the communication apparatus; a setting step of causing the communication apparatus to determine whether to enable or disable a referral using the referral function; and a use restricting step of causing the communication apparatus to apply the use restriction of one or more functions of the communication apparatus according to a response to the request sent in the requesting step and the determination in the setting step.